September 26, 2023 48 mins

Do you know how to protect your device from the Xenomorph Banking Trojan? Join us as we dive into the murky waters of Android security threats with our enlightening guest, Blake Rea. We unmask the frightening reality of this new Trojan, aimed solely at Android users. With a chilling focus on over 35 financial institutions and some crypto wallets, the need to understand and shield ourselves from this threat is apparent. As we unravel the differences between Android and Apple devices' security, we investigate a compelling conversation around trust and privacy, scrutinizing the potential for hardware chips that spy on us.

With the advent of the Xenomorph Banking Trojan looming, we guide you through the labyrinth of secure banking and device protection. How safe is it to download apps from the Google Play Store? Can a password manager protect you from threats? We answer these questions and more, offering pearls of wisdom on everything from encrypted drives and strong passwords to limiting app permissions. We also dissect the critical role of reading the Terms & Conditions of software applications - an often neglected, yet vital protective measure.

Switching gears, we delve into the intriguing world of social engineering and its dramatic impact on businesses. We unravel how trust is manipulated and the crucial need for verifying information in online banking. We share indispensable tips on SIM swap attacks and much more!

This is Encrypted Ambition—a podcast about the builders rewriting the rules. Join Petronella Technology Group as we decode the ideas, challenges, and momentum behind tomorrow’s business, technology, and leadership breakthroughs. 

That’s a wrap on this episode of Encrypted Ambition. Subscribe wherever you listen, and if today’s guest inspired you—leave us a review or share the show with someone in your circle.

To learn more about how we support innovators with AI, cybersecurity, and compliance, head to PetronellaTech.com.

Thanks for listening—and remember, the future favors the bold.

NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.

Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Craig Petronella (00:04):
All right, welcome to another episode.
We've got Blake Rea with us.

Blake Rea (00:10):
Yeah, we're here again.
We're showing up.

Craig Petronella (00:14):
All right, we're back on track.
Yeah yeah, one of the things we wanted to talk about today is
the Xenomorph banking Trojan, which is specifically affecting
Android users.
Right yeah, that's correct.
This new variant is targeting over 35 different financial

(00:37):
banking institutions.
Pretty nasty malware.
Looks like it's supported by a nation state or I don't know
about that.

Blake Rea (00:50):
They also did say that it was also affecting
certain crypto wallets, which was interesting to me.

Craig Petronella (00:56):
Yeah, they're basically after credentials
access, balance information, initiate transactions, obtain
MFA tokens from authenticator apps and perform fund transfers.

Blake Rea (01:12):
Hmm, interesting.
It did say that it was only affecting Android 13.
So I'm not an Android user, but I don't know where they are in
terms of the Android updates.
I mean, I always recommend people just update immediately.

(01:33):
Check your phone every week at least for updates, but I'm
curious to see where they are in the Android update pipeline.

Craig Petronella (01:44):
Yeah, I think this goes back to one of my
recommendations a long time ago is whenever doing banking or
crypto transfers or something like that, make sure your device
is security gardens.
You want to make sure you're all updated and patched.
Ideally, you do not want to use the same device that you have
maybe a bazillion kids apps on that.

(02:05):
You may not know the security of all those apps.
So you want to try.
I know it's hard, but try to use a more secure device that
doesn't have much on it to do these things.
Use a desktop.
Make sure your OS is patched in your desktop.
Whether you're a Mac or a Windows user, same applies, but

(02:27):
it seems like Android's been really getting a lot of malware
recently.

Blake Rea (02:33):
Yeah, I mean, I've never really trusted Android
personally.
I don't know why. Maybe it's just a subconscious thing.
As an Apple user, I've always known Apple devices to be pretty
security focused.
So they are on Android 14 now, so this is for people that are
using last generation of Android operating systems.

(02:55):
But yeah, so I've just never really been a big fan of Android
and maybe I could be mistaken, but it just seems like they have
more security issues than iOS devices.

Craig Petronella (03:13):
Yeah, well, you know iOS has had some zero
days recently, in the past few weeks too.
So I mean, I feel like it's kind of pick your poison.
You know, obviously nothing is foolproof, but I do think Apple
is doing a pretty good job of privacy and security.
I think that their job is a little easier because they're

(03:35):
engineering the hardware and the software.
You know I talked about this too, where Microsoft or Android,
for example, you got all these different hardware manufacturers
that have to make their hardware up to a certain
standard.
There might be some variances there.
There might be some security flaws in the hardware itself
that you may not know about.
That can contribute to problems.

(03:55):
I know a long time ago there was I don't know if you remember
this, Blake, there was speculation around computer
hardware chips that, at the hardware level, could be spying
on people.
Do you remember Now?
Yeah, I remember that, gosh, I'll have to dig it up and find
it.

(04:16):
But there's you know I've actually talked about this a
long time ago as well where you know we trust, as consumers and
people, especially brand names like household names like Google,
right, and Apple.
You know these companies use really large marketing budgets

(04:37):
and branding campaigns, and you know.
Most of us, I would say, probably trust these companies
to use their products and services.
And my point is that you don't know if you're not buying
something like Apple, where Apple is manufacturing the
hardware and the software.
But even with Apple, you don't really know.

(04:58):
You know they're offshoring the building.
You don't really know, like, what happens at the factory
level.
Right, I mean, who knows what?
You know what I mean, right?
So my point is that we talk a lot about employee training and
testing and drilling, and I'm not insinuating that something
bad is happening.
I'm just saying, like, how do we know, right?

(05:20):
I mean, how do you know that in a factory you've got hundreds
or maybe thousands of workers and robots and all sorts of
stuff happening where they're putting these chips in these
devices?
How do you really know if a chip doesn't have some kind of
backdoor in it?
Right, you know.
So it's we talked about.
You know the internet and TCP/IP and and how.

(05:44):
TCP/IP by nature is not really a great secure internet protocol
tool for the internet, right?
So we've put all these layers on top of it, like encryption
and SSL certificates and all this stuff to kind of patch it
up and bubblegum and duct tape it right, but it's not secure
out of the gate and you know it goes back to the layers that we

(06:05):
talked about.
But what do you do if there's a chip in in something?
That I mean that you don't know about?
But right, I mean, I mean if you just take a minute to think
about that, I mean there could be a chip inside of your iPhone
or your Android device and how do you really know that there's
not something happening?

(06:26):
You know, I know there's one product that came out from one
of our partners where they they encrypt the keystrokes on the
device.
This is a desktop software application, but they also tell
you when a certain application is listening to you through your
microphone or trying to capture your screen.

(06:46):
And I have to say you know, in evaluating their product, it's
really alarming to see big brands like Adobe, Microsoft
just common names wanting access to your microphone or your
camera.
I mean like when you're looking at a PDF or like a Word
document, like Like location settings too, like what's the

(07:07):
point?
Yeah, but I mean like these, nobody really.
I'm sure most I can't say nobody, but I would say most
people don't really read the detailed terms and conditions of
all the rights that these software programs can have.
But I thought it was quite alarming to see that, hey, Adobe
wants to capture your screen and listen through your

(07:28):
microphone when I'm looking at a PDF.
You know like what.
You know what I mean.
I think that's pretty crazy.

Blake Rea (07:35):
Yeah, and they, it seems like they all kind of spin
it in the form of like hey, we want to better your user
experience.
Yeah, that's like okay, you know, I mean I get maybe to a
degree like capturing the screen and saying like, oh okay, well,
people are trying to click here for this tool or click there

(07:56):
for that tool, or maybe they're getting stuck in certain parts
of the user interface, right, Totally to a degree
understandable.
But I mean, is it really acceptable?
You know, yeah, I don't know how I feel about that personally.

Craig Petronella (08:17):
So yeah, I mean going back to this malware.
I think maybe some of our listeners were like you know?
Like what do we do?
You know?
Everything's kind of doom and gloom, right.
I think the really the takeaway is that with a bank I mean as
long as you have a certain amount of funds that don't
exceed the $250,000 limit you're protected by FDIC insurance.

(08:40):
So in the event that something happens bad, you've got that
insurance lay.
I'm not saying to bank on that, I'm not saying that, you know,
maybe one day you'll get your money and hurry up and wait in
line, kind of thing.
Obviously, you have to take your own security measures into
place, but I think it goes back to making sure you're using a

(09:01):
secure device, trying not to type in the URLs.
You know, use a password manager, save your bank
information.
It would encrypted drive.
Ideally, don't store it on your computer at all if you can, but
as far as like the URL or the website of the bank, store that
in the password manager and or your favorites, or you know,

(09:23):
don't type it in because you can fat finger it.
And that's what the hackers are banking on.
They're trying to register these domains that are often fat
fingered and that's how you get phishing or malware on your
computer and then in turn deploy some type of bad software like
this one here.
But this one's pretty rampant on the Android devices.

(09:45):
So maybe the you know, like you said, like you know, this is
targeting the older version, so obviously it goes with.
Obviously make sure you update and patch your Android devices.
But you know, again, it goes back to the layers that we
talked about.
So patching is a layer.
You know your device, how to use that device, for who you're

(10:07):
sharing it with, what other applications are on that device.
Try to use a desktop or another device for your banking or
other more sensitive tasks that you know.
You take more care of and consideration around what
software and applications are on that device, so that you're

(10:27):
kind of, I guess, a bit more strict about what you put on
there.
You know what I mean.
So you try to keep it more bare bones and you do your banking
there.
I know some people are more extreme and go the opposite
direction and they don't do online banking at all and I know
there's a group of folks that do that.
That's obviously it's a trade-off of convenience, right?

(10:47):
But yeah, you know, maybe not enable certain things with your
bank either.
You know there's different software or access type tools
that you can use to pay people easily.
You know certain things that your account level you could
disable.
Obviously, use strong passwords that you're not reusing other
places.
Use multi-factor authentication.

(11:08):
Obviously there's layers at an endpoint level that you should
have on your device itself.
Like I was mentioning that software that I was testing.
You know that encrypts your keystrokes, but not only
encrypts your keystrokes but blocks your camera and your
microphone and you know, have technology like XDR that if you
were to click on a bad link and make a mistake, they would get

(11:31):
contained.
So there's different.
You know layers that you could put in place to protect yourself,
but yeah, this one's a particular nasty one.

Blake Rea (11:39):
Yeah, one thing that I would also suggest too, that I
didn't hear you touch I mean, you touched on it briefly, but
just be very, very wary of what apps you're putting on your
phone.
And in this instance, you know they had an app, a malicious app,
in the app store.
The Google Play Store sorry, that kind of poses itself as a
legitimate app.

(12:00):
You know.
So I know we've all seen it.
When you're scrolling through social media and you see like an
ad for like an interesting fun game or whatever, right, you
know be very wary of what apps you download, right, and who
those developers are.
You know, because every app has a developer listed.

(12:20):
So you know.
Of course you can do a background, a little mini
background check on those developers.
Like you could type in the developer name and then type in
like security or like exploits or like malware.
You know like those two search terms should yield something, or

(12:41):
hopefully nothing, right? In the case.
So don't go downloading a bunch of silly apps.
I know a lot of developers in the past have.
There was this one I think we talked about it on another
podcast, not to go too far off track, but it was one of these
like AI generator apps or something that was like making

(13:03):
In several.

Craig Petronella (13:04):
There was one that was back a long time ago
that we talked about as a flashlight app a free flashlight
app for your phone and it was plagued with malware on it.
I mean years ago, when we published one, we, we did an
experiment and published an app, or I think it was a digital
magazine or something like that.
Anyway, when we did the research around that, we found

(13:25):
that there are so many malicious apps out there that it was
pretty easy to get an app approved with not only Google,
but with Apple too.
So the point is that there are malicious apps on those stores
and you need to do your part and investigate.
What are you putting on your phone or your device?
Do you trust this vendor? Cause

(13:46):
It's a risk question.
And then you know, like Blake said, you need to patch and
update these things too.
So the more stuff, the more software, the more applications,
the more things that you add to your device, the more your
maintenance has to increase, because you need to patch those
things, and not only the patching of the operating system,
but all those applications that you have on your systems.

(14:07):
You have to patch constantly and make sure, because all it
takes is one of those to spy on you in the background and
capture your keystrokes or your credentials, and that's how you
get hacked.

Blake Rea (14:17):
Yeah.
And then also, I mean you can limit those apps that you do
have on your phone, like for example again, you know I'm an
iPhone user, but I can go in here and select the app that I
want and turn off different permissions, like I can turn off
access to a camera, access to a microphone or access to the
location for that app.
So if you ever have any doubts in your mind, you know go

(14:41):
explore the security features and functions of your phone and
make sure some of these apps that you're not so sure about,
you know get them off your phone.
If you feel like you need to, of course, and if you feel like
you don't, or if you feel like you have some use for that
application, you know go in and limit what data and what

(15:02):
controls it has over your phone.
What access permissions. Super important, I would think.

Craig Petronella (15:07):
I think those are great tips.
I think, taking that a step further, it's almost like doing
a self-assessment of your device or your phone or whatever
you're using, and just a checkup.
You know what apps are on here.
Do I know and trust them?
Have I done my own due diligence to investigate and
evaluate a risk?
But you know, the bottom line here is, if you've got hundreds

(15:27):
of apps on your device, you just made your job 100 times harder
because now you got to go through every single one.
So you may want to, if you.
I mean, an extreme approach would be to start over and then
just put back on what you really.
You know, maybe use this is an excuse maybe you've got an old
device and you want to upgrade, so maybe use that upgrade

(15:49):
process of instead of migrating all of your stuff over.
You start over.
I've often said you know, sometimes starting over is
better, because if you do the upgrade path and you dump all
the stuff over from the old device, you're moving everything
over, including anything that could be malicious as far as an
app goes, or corruption or any kind of data that could have a

(16:12):
problem in the future to slow your device down.
So you know.
I know personally for me, whenever I upgrade or get it, I
always start over fresh, and I know that's more work and
annoying, but it also gives me the opportunity to go through
everything and make sure do I really need this app?
And, like I said before, I have other devices that I'll use for
other things, so I won't do banking on certain things.

(16:34):
So my point is that try to simplify your life and keep it
simple.
Right, the KISS principle.
It does have some validity.

Blake Rea (16:44):
Yeah, also be careful too, because in some of these
articles that we read kind of unrelated but more you know.
Going back to your computer, right, like, be careful about
Chrome extensions.
You know Chrome extensions as well, you know.
In this article that we read, they mentioned.
You know.
You know counterfeit, you know transactions and activity

(17:05):
happening through Chrome extensions, you know.
So just be careful out there.
Obviously we say that every podcast, but you know, just know
what you're doing on the internet.
You know, and if you're not sure, like, it's okay to ask for
help.
You know, I think we've.

Craig Petronella (17:21):
I want it located to not install, or
proceed and click next when you don't fully understand what
you're agreeing to either and you know, try to take a devil's
advocate, trustless approach.
You know what happens if this app can listen to me or turn on
my camera?
Am I in an environment at work where I'm talking about
sensitive topics?

(17:42):
That would be a problem if it were captured.
Am I you know what I mean like?
Know your surroundings, know your device and make decisions
based on that too.

Blake Rea (17:52):
Yeah, I also think there's some software out there
too that has keyboard permissions.
I don't think there's any app out there that should have any
permissions over your keyboard that can log what you're typing
and where you're typing.

Craig Petronella (18:06):
Well, what's crazy is and I've talked about
this before is for Apple.
For example, you said you're an Apple user.
You know I don't know if this is still true or not, but when I
investigated it, the keyboard, the keystrokes that you type in
on your iPhone to like text message somebody for something

(18:26):
those keystrokes are stored in a plain text, unencrypted
database.

Blake Rea (18:35):
I'm not sure about that.

Craig Petronella (18:36):
Yeah, it used to be true.
I don't know, I'd have to investigate it again to see if
it still is true, but the point was that there could be a
malicious app on your phone, like the Flashlight app, that
can then interact with that unencrypted password or
unencrypted keyboard file database.
That's how they get all of your information.

(18:57):
Now, this would be simple for Apple, or maybe I'm
oversimplifying, but the point is that in this context and in
this case, I would want Apple to encrypt that database.
I would want those keystrokes to be encrypted.
Anyway, my point is that taking a trustless approach as the
consumer, if that's important to you, that you don't want your

(19:19):
keystrokes to be captured by some app that you're not aware
of, well, consider adding in keystroke encryption to your
device.
Then what happens?
There is again taking that trustless approach, even if this
is no longer an issue.
Let's say Apple patched it.
Let's say Apple now encrypts their keyboard.
I don't know if they do or not.

(19:41):
I'd have to, like I said, but let's say they do.
You use that other layer?
Well, what's that hurting?
You're double-encrypting, okay.
Well, what if there was some exploit or something that
reversed it?
At least?
Again, it goes back to the layers. If you did your part and
you encrypted your information and then there was a breach or

(20:02):
something happened, well then they got scrambled data so they
didn't technically breach it.
That's what I'm getting at as far as the layers go.
The same thing like when you're using plaintext email or you're
using Gmail or something and you don't have encryption.
You could add for very inexpensive, sometimes free
encryption on top of that to then add that extra layer of

(20:26):
protection.
There's things that we all can do, and that's my point.
We should be doing or implementing as many layers as
possible to protect ourselves.
I think that's generally going to be a good thing and go in the
right direction.

Blake Rea (20:43):
Yeah, there's no simple approach to security.
There's no one shoe fits.
There's always constant assessments that have to happen.
Evaluations. Obviously, it comes back to the human
principle.
Are you doing enough?

(21:05):
We've talked before about a lot of the hacks and exposures
happened from a human element.
Ironically, I don't know.
We talked about the last podcast, Caesars MGM.

(21:26):
Did you hear about how that actually happened?
They actually found out how it happened.
Go ahead.
The kids that were hacking them were apparently super young.
They were anywhere from 16 to 20-year-old kids.
What they did was they went on an info website and they found

(21:47):
an executive.
They also went to one of the help desks, or they called the
help desk and said hey, my name is executive, I'm locked out of
my account, like will you reset my email password or reset my
password or whatever.
It was that simple.

Craig Petronella (22:08):
So social engineering at its best.

Blake Rea (22:11):
Right, yeah, it was that simple.
There's nothing sophisticated about 20-year-old kids calling
to help desks for this casino and chitting the password.
So, yeah, I mean people like to be trustworthy.
It's a character trait that people like to possess.

(22:36):
People like to be trustworthy.
People like to take things at face value, because some people
they ignore the bad things that go on in this world because they
live in a bubble, I guess is the easy way to say it.
But people like to be trustworthy, people like to feel

(22:57):
like they're being honest to people and they feel like they
get back what they give out in the world.
It's pretty common, but so somebody just in their mind,
trying to do the right thing help this executive out ended up
being the wrong thing.

Craig Petronella (23:15):
Yeah.
So it goes back to what I've said before many, many, many
times.
If you're in that position, you're that help desk agent.
Just pick up the phone and call the executive.

Blake Rea (23:26):
Yeah, call, or just have policies in place that you
know.
Okay, I'll reset your password.
It has to go back to your email, right, yeah?

Craig Petronella (23:34):
But it goes back to what's the saying Trust,
don't trust, verify.
So never assume that this person on the other end of the
phone is who they say they are.
Verify it.
How do you get them to prove they're who they are?
I have said with your cell phone providers everyone
listening should have a pin number with their mobile carrier

(23:57):
to prevent SIM swap attacks.
SIM swap attacks are still commonplace now.
Don't use your phone number to get one-time pins to certain
things.
Now, I know in certain situations it's unavoidable.
It's kind of comical to me where banks often are the ones that
you think of a bank or at least for me, you think of a bank as

(24:20):
bank encryption or bank grade security.
You think banks should have the best right, right, but in
working with banks I'm no blank, in working with banks.
I'm reminding him of a story, of a test we did.
Oh God, it's not true.
It's just don't assume again that your bank has got the best

(24:42):
security, because they don't.
I'm not going to call out a single bank, but I'm just saying
that again, don't trust that your provider, your company,
your vendor is providing you and protecting everything.
Verify it, get them to prove it and do your own part.
Like I said when I was going with this little tangent was

(25:03):
that certain websites, certain banks they force you to use the
text SMS, unencrypted, one-time password to your phone.
They don't use a more secure authenticator app, for example.
So I get it.
I know that you have to use it in certain situations, but try
to limit it.
If you have the option to not use text for one-time pins, use

(25:27):
the software that's much more secure and add additional pins
and security with your mobile provider to prevent a SIM swap
attack.
Because now, with banks and crypto and everything else, we
do so much on our mobile devices, we depend so much on our
mobile phone number.
You've got to do what you can to protect it.

(25:48):
Because, just like with that story that Blake shared, it's
often the same story with the SIM swap.
Oh, I'm in a bad spot, I lost my phone, I need you to send me
a new SIM or help me move my phone.
And that's how SIM swap attacks happen the hackers.
They persuade in social engineer, the rapid, the mobile
carrier, to do something with the phone number and then, guess

(26:12):
what?
They just activated the hacker's phone and now they have
access to all your pins.
So then they go a step further and then they keep going through
the layers.
So just try to be smart and implement as many layers as you
can.

Blake Rea (26:29):
Yeah, the human element is really important to
any attempted breach.
I remember one.
There was one that was going on Facebook and me personally.
I know this is probably the worst thing to say publicly, but
I like to mess with people who try and mess with me.
So somebody had sent me a message saying oh, I'm locked

(26:51):
out of.
I need help resetting my password.
It was like a Facebook message or something, something silly.
I need help resetting my password.
I'm like I don't know you.
How am I going to help you with such a password?
Oh, Facebook told me to contact you.
They gave me a little list of pictures of people to click and
you were one of them.
It's like oh, ok.
And then they're like can you provide me the six digit code

(27:15):
that just went to your phone?
And I mean pretty much the whole time.
I mean I was just giving them fake, fake six digit numbers and
pretending like oh, my God, I want to help you.
You know like I'm sorry, I like to troll people that troll me.
So we literally tried for like hours, like I just kept giving
them no, I don't know why it's not working.

(27:36):
Like this is the number that I'm getting texted, you know.
And then eventually they just gave up.
Right, you know there's a human element.
Right, that has to happen in almost every attempted intrusion,
you know.
So, don't be that human element, you know?
I mean if something is weird.

Craig Petronella (27:55):
Back to the training and testing that we've
always talked about.
You just constantly have to train and test your people and
yourself so that you get into that muscle memory and that that
just that reaction is again set.
I know what you're saying, Blake.
I mean it's human nature and psychology to want to help
people and I think they and it does go against the grain and

(28:18):
the psychology of your kind of your roots, right, your, your
DNA but you have to train and test and drill yourself to
protect yourself and your, your bank is not not going to ask you
in an email to give you your social security number or pin
number or something Right?
So be very cautious and always again verify.

(28:40):
Don't immediately trust that whoever's on the other end is
who they say they are, and do your part, because the more you
do your part, the less likely you are to become a victim.

Blake Rea (28:53):
Yeah, yeah.
And at that, at that point I mean there's a lot more on the
line right, like if you do the wrong thing, if you open up your
company to some huge exploit or some attack, I mean who knows
what could happen.
You know your, your livelihood is at stake.
At that point, if you know you open a door that look at look at

(29:15):
that from a business owner perspective.

Craig Petronella (29:17):
Let's say you're a small business and
you're you're working with sensitive information.
Or let's say you're a medical company.
You know, I heard on the news earlier today the Lazarus group
the people responsible for the casino hack they are are
basically hoarding and collecting cryptocurrency and

(29:38):
their next projected victim is the healthcare industry
hospitals, medical.
You know they're going after them for ransomware and
ransomware payments so that they can hoard more Bitcoin and more
and more crypto.
My point is that you know we just have to go through the
exercises and keep drilling this stuff into the human side of

(30:00):
things to prevent that malware from being able to be dropped.
You know, I know we're all busy and everybody's working
multiple hats and multiple jobs, but you could have the best
security and if you you're human side, you know it goes back to
people, process and technology.
We've talked about this.
If your people are not trained and they hand over the keys to

(30:22):
the bad guys, well, I mean, there's only so much the
technology leg of the stool can do, right.
I mean, yeah, you can rely on XDR and hope that that's, you
know, contained and.
But there could be more social engineering and impersonation
that can happen to further deepen the hack, right?

(30:44):
So, like you know, like if you picture you're on the other side
and you're the bad guy, you're the hacker.
If you do something and it doesn't work, you shift gears to
do something else, or maybe the person you're talking to is too
well versed and trained, so you find another victim and you
look, you look through social engineering, social networks and

(31:06):
LinkedIn and Facebook, and you find another executive that you
can prey on and see if that person, he or she, is going to
fall back.
So my point is that these, these hackers nowadays are it's their
day job to do this stuff.
You know, they're the ones that are, like you said, they were
kids, they're younger, 16 to 20, you know, they may be in a

(31:27):
country that is a poorer country, and this is this is what they
do for work.
They're actually in the States, okay, so so they're in the
States and they're doing this for work.
You know they're getting paid.
You know, I, I, I remember when we were looking, we're
researching the MGM hack last week.
It's just, it's crazy how it's.

(31:49):
It's become like a business model, and there's also a
business model for basically taking down your, your
competitor too, like you could buy like ransomware kits online
and try to you know, just pummel your.
Yeah.
It's a nasty place out there.

Blake Rea (32:11):
It is weird to think that little Johnny on your son's
soccer team may be taking down corporate yeah, Fortune 50
companies.
Here with millions in bitcoins is hanging out.

Craig Petronella (32:28):
If your company isn't training and
testing your folks and doing these tabletop exercises and
these pen tests, if you're not paying the money and investing
in your company, all it takes is one person on your staff to
make a mistake.
If you think about that, if you're 10 people, you have to
train those 10 people.

(32:49):
It's your responsibility as the owner to provide the training
and the security controls to protect your systems.
The more sensitive the information you have to protect,
the more at risk you have.
If you think about it, if you're a small company and your
secret sauce is really how you're surviving, because if
competition had all of your secrets and intellectual

(33:09):
property, what else do you have other than price to compete on?
If somebody on your team isn't trained and hands over all your
intellectual property to a competitor or to a bad actor
group who sells it to a competitor, my point is that
your survival as a small business is limited.
Think about if you're 100 people or 1,000 people or 10,000

(33:33):
people.
You're larger companies.
Now you just exponentially amplified your risk factor
because now you got 10,000 or however many employees.
You have to make sure they don't do the wrong thing.
It gets really complicated really fast.

Blake Rea (33:52):
Yeah, just stay alert out there.
Stay alert.
Trust nobody, trust nothing when it comes to your personal
information, data, your keys to your castle.
If it seems weird, if it seems odd, there's a reason why.

Craig Petronella (34:18):
usually, yeah, and going back to the consumer
level or the personal level, the more you listen and implement
these layers, the more not only unhackable you become, but you
become more unhackable at a personal level too.

(34:39):
What I mean by that is, let's say, something happens with a
skimmer at a gas station and they try to steal your identity.
If you have more protections around your identity and you
have monitoring, you're less likely to become an identity
theft victim.
My point is that, like Blake was saying earlier, you have to

(35:01):
think about all the software and all these different things on
your computing devices, but you also have to think about it on
other areas, like your car and what gas station you go to.
You know what I mean.
You have to look at all this stuff.

Blake Rea (35:19):
I've seen those little pictures or videos on the
internet of people lifting up the keypads on the card readers
that are literally one-for-one clones of the text, as like new
fear unlocked.
Every time I go to a gas station I'm trying to rip the
keypad off.

Craig Petronella (35:40):
Some of them have a sticker like oh, it's
tamper proof, it's got the orange sticker or whatever.
But again, you have to do.
You think that somebody could buy an orange sticker on Amazon
or somewhere and put that sticker there?
My point is trust no one.
You've got to protect yourself.
Then I think some people are probably listening and they're
like oh, I'm just going to not worry about that, I'm going to

(36:04):
rely on my credit card company to protect myself.
And yeah, the credit card company may have like an
anti-fraud kind of guarantee where you're not responsible for
that.
But I'm not talking about just that transaction, I'm talking
about the after effects of identity theft that could happen
from that event.
So it's not only where do you frequent, where do you get gas,

(36:28):
it's who you do business with at a personal as well as a
business level and limit the amount of information you share
and demand privacy and security.
If a vendor or somebody you're doing business with on a
personal or a business level says, hey, I need you to fill
out this paperwork and you see this paperwork and it looks

(36:49):
sensitive to you, meaning you don't want some of this
information just blatantly on the internet about you or your
business or whatever.
Push back and say, look, how are you securing this
information for me?
And if they're saying, oh, just email it back to me.
No, push back, email's not secure.
Why would you send all this information?

(37:09):
First of all, push back on why they even need the information
and push back on the methodology around how you send it to them,
and then also push back on what are they doing to ensure your
protection and your privacy and your security.
Because if they don't have good answers to those questions and
they don't, in my mind, score well, then think again about
whether you should do business with them, because if they don't

(37:31):
have your best interest at heart, well, that's another risk
factor for you to get breached information.

Blake Rea (37:40):
I also think, going back to financial institutions,
I think these financial institutions just know your
credit card information is probably likely already in a
data leak, whether it's this company, that company, whatever
and the way that they've combated that pretty recently is

(38:01):
implementing the locking features on your card, where you
lock your card after use, and that's something that I
personally do.

Craig Petronella (38:13):
You can call it freezing right, so you could
freeze your card, yeah freeze your card.

Blake Rea (38:17):
I literally will do that for every single one of my
cards.
I will literally be that guy in line holding up the line.
Hold on, let me unlock my card.
Sorry for anybody who's behind me, but it's a scary world and a
lot of times, when they buy this information through the

(38:38):
dark web or whatever, they'll just go through a list of them
and then, if it's declined, they'll delete it.
If it's declined, they'll delete it.
Oh, and then this one works right.
Okay, cool, let's hang on to this one.

Craig Petronella (38:54):
So you made me think of something.
Have you heard about the security flaws around Hyundai
and Kia vehicles?

Blake Rea (39:02):
No, but my dad has a Kia, so I'm curious.

Craig Petronella (39:06):
I think Tesla is somewhat affected too.
So I was reading some security information I think it was a day
or two ago and they were saying that the security is so bad
with and these this includes brand new Kia and Hyundai
vehicles too.
The security is so bad with the, the lack of encryption with

(39:29):
their key fobs and things like that that car thieves.
It's not just like single digit percentage increases of thefts,
it's like exponential in the hundreds of percentages of how
easy car thefts in those brands are occurring right now.
And if you think about that as a consumer, you know you might

(39:50):
really like one of those vehicles that you know.
Maybe they're, it's a good price, or maybe you feel it's
good value, and they may be true.
But again, as a consumer you have to think about well, if I
buy this car or truck or whatever it is, I'm now trusting
that company to keep me safe in my vehicle.
Or if I go to a restaurant or wherever and you know, a few

(40:14):
years ago I never would have thought like, oh, you know, my
vehicle is going to get stolen or whatever I pretty much trust
that my vendor and my key fob is, you know, I lock my doors and
stuff and you feel like you've done your part right.
Well, when I read this article, I was like, oh my goodness, I'm
like.
You know, you can have this brand new car and you can lock
it and wherever and it's just like child's play for thieves to

(40:37):
not only steal the contents inside the car if you've got
packages or whatever in there or, god forbid, you're in medical
and you've got a laptop in there and you lock it.
You thought you did good, you locked it up or whatever, but
for whatever reason, you didn't encrypt it or do the other
layers again right, that we're talking about and that thing
gets out there.

(40:57):
Well now, not only did you trust that vendor, in this case
Kia and Hyundai, but now you suffered a breach because of
their lack of security, right?
So that's what I'm saying.
Like, think about this at a personal level, where, what if
my car can get opened from some adversary and I've got stuff in

(41:19):
there?
What am I doing to protect not only my stuff, but what am I
doing to protect my car?
Are there additional things that I can do to protect myself?
You see what I'm saying.
So it's just kind of a weird world.
But yeah, I think we need to push back on the dealerships and
on the car manufacturers like, look, I really like this car, I

(41:40):
would buy this car.
But here's the latest headlines and this is like the number one
and they're not getting these cars back.
By the way, they're like they're going to chop houses and
they're divvying these cars up and selling them for parts and
stuff.
And one extreme could be at the consumer level.
Oh well, that's why I have insurance and that's they're
going to give me.
And, yeah, that might be an option as far as depending on

(42:02):
your coverage and things like that.
But that's not the point.
The point is that we need to do more as consumers to push
pressure on our vendors and who we buy products from and
services from to take our security and take it more
seriously and do better to protect us.

Blake Rea (42:20):
Yeah, I mean 100% agreed.
And then you know we've talked about this and hopped on this a
lot, but the human element, you know, again, like I think I read
an article somewhere that the instance of car break-ins
increased because of, you know, somebody looking into the car

(42:41):
and seeing a purse or a backpack or a box you know an Amazon box,
or so you know something that you can do that takes zero
effort really is if you're going into the grocery store and
you're like, oh, let's me leave my work laptop, my work backpack
here, you know you just got off work, boom, it's in the back

(43:02):
seat.
Put that in your trunk.
You know, I know that sounds really simple, but you know, if
somebody who's getting ready to break into your car looks into
your car through the window because they're just not going
to go oh that's a, you know that's an Audi, or oh that's a
BMW or Mercedes Boom, smash.
You know, like, doesn't work.

(43:22):
Like that.
They look into your car and see what they're going to get access
to if they're not deciding to take your car and, like Craig
said, to a chop shop and you know, get in and do the entire
car jacking.
That's a lot of work and there's a lot of risk.
You know it's easy for them just to knock the window out and
grab your your bag, right?
That's a lot easier and it's, you know, a lot less sketchy,

(43:47):
right, because then they have to transport that vehicle to the
chop shop when you just reported it missing, right?
So there's a lot more added risk, but something as simple as
putting those things in your trunk and keeping your car clean,
you know with no visibility.

Craig Petronella (44:02):
I would agree with that.
The only part that I wouldn't agree with is don't put a laptop
in the trunk and let, like you know, if you've got it end to
end encrypted and you're really certain that you feel that that
laptop has enough safeguards.
Do an experiment and just hand it to somebody and just kind of
think that if you were to hand this to somebody, do you feel

(44:23):
that everything is protected well enough that you won't
suffer a breach?
Obviously, put your, your valuables and things like that
out of out of sight.
Put them in the trunk, yeah.

Blake Rea (44:32):
Carry them, carry them with you, you know.
Yeah, the whole point I was trying to make is just get them
out of, get them out of vision, get them out of sight.
Yeah, don't leave that sitting in the front seat.

Craig Petronella (44:44):
I think the other part that's more alarming,
though, is that you can or a bad actor can buy these
repeaters to legitimately repeat the signal from your your key
fob and open your door.
So it's not a matter of they break the window as often
anymore.
This is more higher level crime, where they're buying

(45:04):
electronic devices to then repeat the signal, either bounce
it off from your valid key fob in the restaurant if it's not
far enough away.
So that's why we talked about Faraday bags and protecting your
keys and using RFID protections around your wallets and things
like that.
Now, again, I mean yeah, it goes back to layers, but I don't
know if everybody wants to carry a Faraday bag with them.

(45:26):
Maybe it boils down to layers, like we talked about.
What do you, what do you want to do to make it more difficult
and what are you willing to do it?
So you're willing to go to try to make yourself as unhackable
as possible.

Blake Rea (45:41):
Yeah, and those repeaters are cheap $125 on
Amazon.
They're not illegal to own either.
So, you know, that's, that's crazy.
So they were selling them at DEF CON.

Craig Petronella (45:53):
Yeah, I think you can get a Faraday bag for 15,
20 bucks on Amazon.
So yeah, you know, as an experiment for homework for
listeners, you can try do an experiment.
Get one of the repeaters, buy a $15, $20 Faraday bag and see if
you can get it to work on your own vehicle.
You know that'd be a pretty inexpensive experiment to do on

(46:15):
yourself to see if you see how much at risk you are.

Blake Rea (46:20):
Yeah, yeah, absolutely.
I mean, don't make it easy, don't make yourself the target,
you know, because if you're the low hanging fruit, you know
these people have to eat.

Craig Petronella (46:33):
Yeah, and then you know, consider some type of
camera or recording device on your vehicle.
You know I know they make dash cams now that go both.
They have two cameras, one inside, one outside.
You know you can consider something like that.
But, yeah, the more, the more stuff you have from a security

(46:53):
perspective, more layers you put into place, the more evidence
you can collect that, god forbid, something does happen.
You know, then you've got more stuff to catch the criminal.

Blake Rea (47:04):
Yeah, I've seen some of these apps now, some of these
car apps for the new modern cars.
Like you can lock the car from your phone and then it'll also
tell you, you know, if your alarm's going off, like, oh,
like my car, you know, somebody just opened the car door and the
alarm went off, or tried to open the car door, you know.
And then there's a button that says, like you know, press.

(47:25):
You know, call 911, or something.
Like you know, they're getting up there trying to make these
things more helpful to you, but just be careful out there, you
know.

Craig Petronella (47:35):
Yeah, absolutely.

Blake Rea (47:38):
Well, I think we went a little off topic, but we
still had some good information.

Craig Petronella (47:42):
Yeah, agreed.
Well, stay tuned for our next episode.
We'll have another one for next week and maybe we'll do a short
in the meantime.

Blake Rea (47:49):
Yeah, yeah, all right, take care, bye.